dependency-update-bot

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md and references/changelog-patterns.md explicitly direct the agent to fetch changelogs and release notes from public third‑party sources (GitHub Releases/raw CHANGELOG.md, npm registry, PyPI) and feed that untrusted text into Gemini and the bot's decision logic (risk escalation, PR creation), so external content can materially influence actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill requires a GEMINI_API_KEY and at runtime sends fetched changelogs into a generation request to the external model endpoint https://generativelanguage.googleapis.com/v1beta/models/gemini-2.0-flash:generateContent?key=$GEMINI_API_KEY (while also fetching raw changelogs from GitHub APIs/raw.githubusercontent.com), so remote content fetched during the run is injected into the model prompt and the external Gemini service executes generation — meeting the conditions for high-confidence prompt-injection/execution risk.